MyBB Community Forums
Is $db->query() vulnerable?

Thread: Is $db->query() vulnerable? (https://community.mybb.com/thread-221116.html), Plugin Development forum



Is $db->query() vulnerable? - mariolatif741 - 2018-12-17

Hi,

The title just says it all...

Is the usage of POST or GET variables inside a $db->query() SQL query vulnerable?
Thanks!


RE: Is $db->query() vulnerable? - labrocca - 2018-12-17

Can you provide an example query you think can exploit the query?

MyBB's $db class has mostly been the same, in regards to security, for a very long time. For plugins and core MyBB code you should use $db->escape_string() for variables which might contain injection code.

If you're using $db->query(), be sure to clean your code. As far as I know all the default usage of it is sanitized. Otherwise there is a default MySQL Injection vulnerability.


RE: Is $db->query() vulnerable? - Euan T - 2018-12-17

(2018-12-17, 05:32 PM)labrocca Wrote: Can you provide an example query you think can exploit the query?

MyBB's $db class has mostly been the same, in regards to security, for a very long time. For plugins and core MyBB code you should use $db->escape_string() for variables which might contain injection code.

If you're using $db->query(), be sure to clean your code. As far as I know all the default usage of it is sanitized. Otherwise there is a default MySQL Injection vulnerability.

Exactly. When constructing a query using GET or POST parameters, always escape them or cast them. If the values are integer values, you can simply cast them to integers such as $uid = $mybb->get_input('pid', MyBB::INPUT_INT). Otherwise, escape them like $username = $db->escape_string($mybb->get_input('username')).
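The following is an added example, not code from MyBB or from either reply above. It puts the two habits labrocca and Euan T recommend side by side with the raw-concatenation pattern they warn against: integers cast through $mybb->get_input(..., MyBB::INPUT_INT) and strings passed through $db->escape_string() before they reach $db->query(). The MyBB, get_input(), escape_string() and query() names match MyBB's API, but their bodies here are simplified stand-ins (an assumption, so the file runs without a MyBB install); the TABLE_PREFIX value and the request values are constructed for the demonstration.

```php
<?php
// Added example (not MyBB's own code). Stand-in classes so this runs offline.

// MyBB's real prefix constant is set in the board config; 'mybb_' is assumed here.
define('TABLE_PREFIX', 'mybb_');

class MyBB
{
    // The real MyBB defines INPUT_INT; the numeric value here is a placeholder.
    const INPUT_INT = 1;
    public $input = [];

    // Simplified stand-in for MyBB::get_input(): returns the request value,
    // cast to an integer when INPUT_INT is requested, otherwise as a string.
    public function get_input($name, $type = 0)
    {
        $value = isset($this->input[$name]) ? $this->input[$name] : '';
        if ($type === self::INPUT_INT) {
            return (int) $value;
        }
        return (string) $value;
    }
}

class StubDB
{
    public $last_query = '';

    // Stand-in for $db->escape_string(): escapes the characters a MySQL
    // driver escape covers. The real method delegates to the driver.
    public function escape_string($string)
    {
        return strtr($string, [
            "\\" => "\\\\", "'" => "\\'", '"' => '\\"',
            "\0" => "\\0", "\n" => "\\n", "\r" => "\\r",
        ]);
    }

    // Stand-in for $db->query(): records the SQL instead of executing it.
    public function query($sql)
    {
        $this->last_query = $sql;
        return $sql;
    }
}

// What the original post asks about: raw POST/GET values concatenated into SQL.
// The quote inside the username ends the string literal early, and the pid is
// whatever text the client sent, so the query's structure is attacker-controlled.
function unsafe_queries(StubDB $db, MyBB $mybb)
{
    $by_name = $db->query("SELECT uid FROM " . TABLE_PREFIX . "users WHERE username='"
        . $mybb->input['username'] . "'");
    $by_pid = $db->query("SELECT pid FROM " . TABLE_PREFIX . "posts WHERE pid="
        . $mybb->input['pid']);
    return [$by_name, $by_pid];
}

// What the replies recommend: cast integers, escape strings.
function safe_queries(StubDB $db, MyBB $mybb)
{
    $username = $db->escape_string($mybb->get_input('username'));
    $pid = $mybb->get_input('pid', MyBB::INPUT_INT);
    $by_name = $db->query("SELECT uid FROM " . TABLE_PREFIX . "users WHERE username='"
        . $username . "'");
    $by_pid = $db->query("SELECT pid FROM " . TABLE_PREFIX . "posts WHERE pid=" . $pid);
    return [$by_name, $by_pid];
}

// Constructed request data: a username containing a quote and a non-numeric pid.
$mybb = new MyBB();
$mybb->input = ['username' => "O'Reilly", 'pid' => '42abc'];
$db = new StubDB();

foreach (unsafe_queries($db, $mybb) as $sql) {
    echo "unsafe: " . $sql . "\n";
}
foreach (safe_queries($db, $mybb) as $sql) {
    echo "safe:   " . $sql . "\n";
}
```

Running it prints the unsafe pair with the literal `O'Reilly` and `42abc` spliced into the SQL, and the safe pair with `O\'Reilly` and `42`. The split between the two techniques is not cosmetic: escaping only neutralises characters inside a quoted string literal, so a value that is interpolated bare, such as a pid, must be cast to an integer rather than escaped, which is why Euan T's reply gives a different rule for each type.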